AppliedMicro Trusted Management Module

Transcription

1 AppliedMicro Trusted Management Module Majid Bemanian, Sr. Director of Marketing, Applied Micro Processor Business Unit July 12, 2011 Celebrating 20 th Anniversary of Power Architecture 1

2 AppliedMicro (APM) at a Glance Headquarters: Sunnyvale, CA Global Footprint: N.A., Europe, Asia Employees: 607 Market-cap: $612M Ticker: AMCC FY10 Revenues: $248M 2

3 PACKETPRO Feature Summary Market Drivers Bandwidth Explosion Video Social Networking Device Explosion Processor Requirements Deterministic Behavior QM/TM, Offloads Converged Networks Users & Data on the Move Access any data, any device Reduce Latency High Availability End to End Security Integrated Offload, QM/TM AMP through SLIMPRO Cryptographic Boundary Energy Management PoE Energy Efficient Ethernet Concurrency & Independency Multi-Core AMP, SLIMPRO Extend Power Management SLIMPRO 3

4 Typical Enterprise System 2-5 cards Backplane / Redundant Switch Fabric Switch Fabric (XBar) DDR DDR Backplane Serdes Management Processor 8+ Cores 2.5+ GHz Management Module Routing Tables Control Plane 1.0+ GHz 2-4 Cores Mem Mem Mem Mem NPU / Data Plane Processors Line Module Control Plane 1.0+ GHz 2-4 Cores Mem Mem Mem Mem ASIC / ASSP / Soft Silicon Line Module DDR DDR 10/40/100 10/40/100 10/40/100 10/40/100 Platform Security Fiber / Copper Fiber / Copper Payload Security 4

5 PACKETPRO Multi-Core Processor Family 32b 465 PPC 1.5GHz 256KB L2 MutiCore 32b 465 PPC 1.5GHz 256KB L2 High Speed I/O PCIe G2 SATA GE (EEE) Classifier Traffic Manager Packet DMA Off-loads & Management Classifier Security Engine Interrupts MPIC Queue Manager SLIMPRO Packet Parser, Crypto Engine. RTC, PKA/TRNG, SecRAM, EFUSE Non-blocking Bridge Fabric Non-blocking Bridge Memory Queue 16/32/64 bit Memory Controller w/ ECC DDR2/3, 1600Mbps PPC Mailbox GPIO SPI I 2 C Standard IO LCD CNTRL UART USB2.0 JTAG Trace Clocks Flash IO 5

6 PACKETPRO Unique Differentiators Crypto Boundary Power Management Secure Boot Crypto Engine WoX Wake on LAN, USB, GPIO, Standby Power mode Protected Private Keys Soft SKU Dynamic Freq. Scaling Energy Efficient Ethernet Independent Boot Crash Recovery/ Fail Over Look-aside Security & Classification QM/TM OS / Code Protection Resource Virtualization IPsec MACsec In-Line Classification High Availability & Concurrency Hierarchical Offloads 6

7 Multi-Layered Security Crypto Engine AES-GCM, AES-CBC modes of encryption AES-GMAC of authentication SHA1 engine for hash generation PKA High Performance large-vector arithmetic functions Unsigned value modular exponentiation Including Chinese Remainders Theorem (CRT) Modular inversion ECC point addition/doubling on elliptic curve ECC point multiplication on elliptic curve AES-GCM, AES-CBC modes of encryption Crypto Offlaod TRNG ANSI X9.17 Annex C Inline IPSec AES-GCM; AES-GMACTunnel and Transport modeesp Encryption and Authentication IPv4 and IPv6 Security Associations Wire speed operation In-Line Security Packet Pro SoC Look aside Security Encryption Algorithm DES, 3DES, AES-128/192/256, ARC4 Hash Algorithm SHA-1/ 224/ 256/ 384 /512 AES-XCBC-MAC GHASH SSL /TLS /DTLS MACSec 7

8 SLIMPRO Scalable Light-weight Intelligent Management Processor embedded in a Secure Green Zone Gated and guarded from any on-chip or external access / attacks Secure connections to remote agents SLIMPRO Application Power Management Secure Boot Trusted Management Module Secure Debug Concurrent & Secure AMP Description Ultra Fine SoC Frequency, Voltage and feature control. 200mW to full operation. Authenticate OS, System S/W and Loader. Real-time Security Agent On-chip protected Private / Public storage; Crypto Engine. Tamper Detection and Response Secure remote monitoring, debug, update and reporting Secure domain protection. Concurrent and independent MultiCore operation NV Storage 32bit Processor Mail Box & Gateway MultiCore SoC Fabric Secure Green Zone PKA/ TRNG Crypto Security Engine I/D RAM I2C RTC ROM GPIO Secure Ethernet Traffic 8

9 APM Trusted Management Module (TMM) Securely store keys, passwords and digital certificates to support Platform Integrity and Privacy Security Measure Encrypted Image Secure Boot Secure Communication Runtime Integrity Check Secure Software Updates Secure Debug Hardware Integrity Protecting Against Using symmetric bulk decryption provide code secrecy Leveraging PKA hardware acceleration authentic the origin and the integrity of the image before execution Communicate with a remote host using secure communications Perform checks on system in order to reduce attack surface area Decrypt and authenticate new software images before updating Remote management and debug Authenticate System Components 9

10 SLIMPRO Trusted Management Module Dedicated Secured Processor Core for Embedded Security Levels of Security Offerings Secure, Protected DRAM Operation Key Zeroization Tamper Detection Detection of Violations or Breaches Tamper Response Secure Boot Decrypt & Authentication Secure Communication Runtime Integrity Check Secure Protected Tamper-Proof Zone Protected Real Time Clock Code Authentication Flow Cryptographic Boundary 10

11 Securing the borders Processor Core(s) Secured ROM RAM NV Storage GE/10GE PCIe Gen I/II USB SATA DDR3 Memory Crypto Engine CPU I2C Controller I/O DDR3 NAND/NOR Bridge (Fence) PKA/ TRNG RTC Flash Hardware Offloads Security Classifier Queue Manager Traffic Manager 11

12 Symmetric Boot OS Independence Independent Boot process CPU cores operate independent of SoC peripherals Reset of one CPU doesn t effect the other Interrupts are routable through MPIC PPC0 L2 USB 1 UART1 GE 1 Boot Source SLIMpro DDR3 Common System Configuration Secure Perimeter Configure Clock and Power Supply Bridge Initialization Init QM, MPIC Init PPC1 L2 Unencrypted / Authenticate Boot Loader Take PPC0 & PPC1 out of Reset USB 2 UART2 PCIe 12

13 Code Protection Symmetric bulk decryption Secure Code Validation & decryption Begin Boot Process E-Fuse Secure Boot Enable Y SLIMpro Exec. Code From on-chip ROM Load Encrypted Image from Boot Device Decrypt & Authenticate SLIMpro Image Authentication Pass? N Y N Boot Standard SLIMpro Boot Power PC Core(s) Load Image to SLIMpro Instruction RAM Jump to Authenticated Code Execution Load & Lock SoC Configuration Load Encrypted PPC Boot Image Decrypt & Authenticate Image Authentication Pass? Y N Boot Loader Validation E-Fuse Configured Fail Action E-Fuse Configured Fail Action Boot Power PC Core(s) 13

14 Secure Loader Packet Pro 2 nd Stage Boot Loader PPC PPC (4) 1 st Stage Boot Loader (1) (2) SLIMpro Secure RAM On-Chip- Memory (JTAG Disabled) (3) E FFFF FFFC Encrypted Flash DDR3 (5) 2 nd Stage BL (6) (1) block Copy (2) Build1 st Stage BL (3) Point PPC Reset Vector (4) Copy 2 nd Stage BL (5) Decrypted 2 nd Stage BL (6) Jump to 2 nd Stage BL 14

15 OS / Application Loader OS Image Messages Mail Box SLIMPro Secure SRAM Mail Box Crypto Engine PPC PPC Block Block Block OS Image Header DDR3 Application Image(s) Packet Pro Block Block Block Application Image(s) Header Encrypted Flash 15

16 Run Time Integrity Check DMA OS image to SLIMpro Secure RAM Generate per block Compare Generated with Flash Create Exception or Pass Block (0) Block (1) Block (m) DDR3 OS Image Messages Mail Box SLIMPro Timer Secure SRAM Mail Box Crypto Engine PPC PPC Packet Pro OS Image Flash Encrypted Flash OS Image 16

17 PACKETPRO Feature Summary Market Drivers Bandwidth Explosion Video Social Networking Device Explosion Processor Requirements Deterministic Behavior QM/TM, Offloads Converged Networks Users & Data on the Move Access any data, any device Reduce Latency High Availability End to End Security Integrated Offload, QM/TM AMP through SLIMPRO Cryptographic Boundary Energy Management PoE Energy Efficient Ethernet Concurrency & Independency Multi-Core AMP, SLIMPRO Extend Power Management SLIMPRO 17

18 Questions & Answers During the webinar: Send questions to Host in the Chat Window. AppliedMicro Proprietary & Confidential 18

19 Thank you! Celebrating 20 th Anniversary of Power Architecture 19